Information asset management system, log analysis server, log analysis program, and portable medium

ABSTRACT

An information asset management system in a network environment includes a monitoring program  11  that monitors operation events performed by users and creates terminal logs  12 , a terminal log collection program  21  that stores an integrated log  22  created by collecting the terminal logs  12 , and a correlation analysis program  31  that analyzes the whereabouts of information assets using the integrated log  22 . When the user exports an information asset from the network environment and when the user imports the information asset into the network environment, the monitoring program  11  monitors these export and import events including feature values of the information assets. The correlation analysis program  31  compares a pre-export feature value of each information asset with a post-import feature value of each information asset to determine whether the information assets are identical and reports a list of information assets in the organization.

INCORPORATION BY REFERENCE

This application claims priority based on Japanese patent applications,No. 2007-099450 filed on Apr. 5, 2007 and No. 2007-156371 filed on Jun.13, 2007, the entire contents of which are incorporated herein byreference.

BACKGROUND OF THE INVENTION

The present invention relates to an information asset managementreporting technology for visualizing and reporting the whereabouts ofinformation assets under management of an organization.

Information such as personal information or trade secrets in anorganization has recently been increasingly computerized. Thecomputerized information is provided as files on a computer or as datain a memory. Leakage of files containing such information frequentlyoccurs, causing significant damage. In the following description, a filecontaining confidential information such as personal information ortrade secrets will be referred to as an “information asset”. Since suchinformation assets are files, they are easily duplicated, transferred,and processed and it is difficult to manage and determine theirwhereabouts (or locations). It is nearly impossible to determine usageof information assets such as how and by whom they are used. Forexample, it is very difficult to cope with accidental leaks such asleakage of information assets that were duplicated without the user'sknowledge or leakage of information assets due to forgetting to deletethem although they should be deleted according to the rules of theorganization.

Outsourcing companies mostly conduct work using information assetsreceived from customers. Outsourcing companies should delete informationassets received from customers after the term of the outsourcingcontract expires. Thus, it can be easily expected that outsourcingcompanies need to prove to customers that they have properly handled theinformation assets and also to delete the information assets withoutleakage after the term of the contract expires.

To deal with the risk of authorized users easily taking (or exporting)information assets or copies of information assets outside a networkenvironment under management or a file management system (hereinafterreferred to as a “network environment”), Japanese Unexamined PatentApplication Publication No. 2006-518893 (Document 1) suggested a systemthat monitors and reports usage of information assets in the networkenvironment to a manager, thereby easily detecting unexpected behaviorpatterns. With knowledge of where information assets under management ofan organization are present, this system can detect, for example,whether or not any file has been sent as an email attachment, whether ornot any file has been uploaded to a common storage region on theInternet, and whether or not any file has been written to a UniversalSerial Bus (USB) flash memory or CD-Recordable (CD-R)/Digital VersatileDisk Recordable (DVD-R).

Google has introduced “Enterprise Solution”(URL:http://www.google.co.jp/enterprise/) (Document 2). To determinewhere information assets are present in a network environment, thissystem crawls files and indexes the contents of the files to findinformation assets at high speed. This system permits a user who desiresto find an information asset to quickly locate the information assetsimply by specifying a keyword.

According to a system disclosed in Japanese Patent ApplicationPublication (JP-A) No. 2005-109779 (Document 3), to prevent an encryptedfile from being decrypted at an arbitrary Personal Computer (PC), adependent file for generating a decryption key is stored in specific PCsso that the decoding key can be generated only at the specific PCs whichcontain the dependent file. Even if information assets are exported toan arbitrary PC, this system prevents leakage of the information assetsby preventing decryption of the information assets at the PC.

SUMMARY OF THE INVENTION

To determine the whereabouts of information assets that are easilyduplicated, transferred, and processed, it is necessary to keep tack ofthe information assets. For example, when information assets areexported to a USB flash memory, CD-R/DVD-R, paper, an email, or the likenot under management of the network environment of an organization andare then returned to be under management of the network environment, itis necessary to keep tack of the information assets. According to theconventional technology described in Document 1, when a pair of eventsof an information asset (or file) has occurred, for example when theinformation asset is imported to again be under management of thenetwork environment after being exported out of management, it is notpossible to determine whether the imported information asset is a newfile or the same as has been under management of the networkenvironment.

It is also necessary to keep tack of information assets when theinformation assets are kept under management of the network environmentof an organization. For example, when an event of file format conversionsuch as compression or encryption of a file has occurred, it is alsonecessary to determine whether or not the converted file is aninformation asset. According to the conventional technology described inDocument 2, when the format of a file has been converted, it isdifficult to index the contents of the converted file and is notpossible to determine if the converted file is an information asset.

In addition, it is necessary to keep tack of an information asset storedin a portable medium such as a USB flash memory or a compact flashmemory card and also to keep track of the information asset when theportable medium containing the information asset is coupled, forexample, to a PC at home not under management of the network environmentand the information asset is then copied from the portable medium to thePC. Further, it is necessary to prevent unauthorized use of aninformation asset such as copying of the information asset to a PC athome via a portable medium and also to prevent leakage of informationassets from a lost or stolen portable medium.

The invention provides an information asset management system, aninformation asset analysis server, an information asset analysis programand portable medium which can manage and report information assets thatare under management of a network environment even when various eventshave occurred in association with the information assets.

One embodiment of the invention provides an information asset managementsystem in a network environment coupled to both a terminal that isoperated by a user and a log analyzer including a log analysis program,wherein the terminal includes a monitoring unit that monitors operationsperformed by the user and outputs a terminal log including respectivefeature values of an information asset before and after a pair of eventsof the information asset occurs, and the log analyzer includes acorrelation analyzer that determines whereabouts of the informationasset by analyzing an integrated log, which is created by integratingterminal logs collected over a network, based on feature values in theintegrated log and reports analysis results obtained through thecorrelation analyzer.

In this embodiment, in the network environment under management of anorganization, files (or operation events performed by the user forfiles) are monitored together with their feature values when a pair ofexport and import events of each file (for example, a pair of an eventof exporting the file from the network environment to a USB flashmemory, a CD-R/DVD-R, paper, an email, or the like and an event ofimporting the file back into the network environment) occurs. Here, thelog analyzer compares a post-import feature value of each informationasset (i.e., each file) with a pre-export feature value of eachinformation asset to determine whether or not the information assets areidentical and reports a list of information assets in the organization.

In addition, in the network environment under management of anorganization, files are monitored together with their feature valuesgenerated when file format conversion such as compression or encryptionis performed and files are monitored together with their new featurevalues generated when inverse file format conversion such asdecompression or decryption is performed. Here, the log analyzercompares a post-inverse-conversion feature value of each informationasset with a pre-conversion feature value of each information asset todetermine whether or not the information assets are identical andreports a list of information assets in the organization.

In another embodiment of the invention, when writing is performed to aportable medium such as a USB flash memory or a compact flash memorycard, only a file in a conditional self-decodable format (conditionalself-decryption file) having conditions for decryption is permitted tobe written to the portable medium. The conditions for decryption includea condition for determining whether or not a portable medium coupled toa PC to decrypt a file is a specified one and a condition fordetermining whether or not a PC coupled to the portable medium is aspecified one. Accordingly, when a file is decrypted, a log indicatingsuccess or failure of the decryption and the PC to which the portablemedium is coupled (also referred to as a “coupling destination PC”) isleft in the portable medium, and leakage of information assets tounspecified PCs is prevented.

The information asset management system according to the invention has avariety of advantages. One advantage is that it is possible to keep tackof files that are specified as information assets in an organization.For example, it is possible to correctly and easily identify informationassets which are present in a location with a high risk of leakage suchas a portable medium. It is also possible to correctly and easilydetermine where information assets, which should be deleted since theterm of the contract expires, are in an outsourcing company even whenthey have been encrypted.

These and other benefits are described throughout the presentspecification. A further understanding of the nature and advantages ofthe invention may be realized by reference to the remaining portions ofthe specification and the attached drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates the overall configuration of an information assetmanagement reporting system according to a first embodiment of theinvention.

FIG. 2 is a block diagram illustrating a client in the first embodiment.

FIG. 3 illustrates data in a terminal log and an integrated log in thefirst embodiment.

FIG. 4 illustrates data in an information asset list in the firstembodiment.

FIG. 5 is a flow chart illustrating the operation of a monitoringprogram in the first embodiment.

FIG. 6 is a flow chart illustrating the operation of a correlationanalysis program in the first embodiment.

FIG. 7 illustrates an example of log analysis in association withnetwork communication in the first embodiment.

FIG. 8 illustrates an example of log analysis in association with use ofa portable medium in the first embodiment.

FIG. 9 illustrates an example of log analysis in association withprinting in the first embodiment.

FIG. 10 illustrates an example of a screen interface which displays aninformation asset list in the first embodiment.

FIG. 11 illustrates another example of a screen interface which displaysan information asset list in the first embodiment.

FIG. 12 illustrates an example of log analysis in association with fileformat conversion in a second embodiment of the invention.

FIG. 13 illustrates the overall configuration of an information assetmanagement reporting system according to a third embodiment of theinvention.

FIG. 14 is a block diagram illustrating a portable medium in the thirdembodiment.

FIG. 15 is a flow chart illustrating the operation of the informationasset management reporting system when a file is exported to a portablemedium in the third embodiment.

FIG. 16 illustrates an example of a WF screen when a file is exported toa portable medium in the third embodiment.

FIG. 17 is a flow chart illustrating the operation of an exportdestination of a portable medium when a file is exported to the portablemedium in the third embodiment.

FIG. 18 illustrates data contained in and associated with an exportmanagement database in the third embodiment.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Preferred embodiments of an information asset management systemaccording to the invention will now be described with reference to theaccompanying drawings.

FIG. 1 illustrates the overall configuration of an information assetmanagement reporting system 100 that is the first embodiment of theinvention. The information asset management reporting system 100, whichprovides a network environment, includes one or more clients 10 a and 10b, a log collection server 20, and a log analysis server 30 which arecoupled wired or wirelessly to a network 40. The clients 10 a and 10 bare terminals such as PCs. The log collection server 20 functions as alog collector and the log analysis server 30 functions as a loganalyzer. In the information asset management reporting system 100, anInternet server 41, a multifunction printer 60, and an index server 70are also coupled to the network 40.

The Internet server 41 is an email server, a proxy server, or the like.The email server 41 relays and stores emails 43 transmitted and received(exchanged) within the network 40 or over the Internet 42. The proxyserver relays web data that are communicated over the Internet 42. Themultifunction printer 60 is a device that prints information on paper 61in response to a printing request from the client 10 a or 10 b(hereinafter also referred to as “client 10”) and scans and savesinformation printed on the paper 61 as a file. The index server 70 is anapparatus that crawls files stored in the clients 10 a and 10 b or filesor emails stored in the Internet server 41 at regular intervals andindexes the crawled files or emails, thereby allowing users 1 a and 1 bto quickly search for desired information simply by specifying a searchkeyword or the like.

In addition, in the information asset management reporting system 100, aportable medium 50 such as a CD-R/DVD-R, a USB flash memory, or a floppydisk can be coupled to the client 10 and the client 10 can exchangefiles with the portable medium 50.

Here, it is assumed unless otherwise stated that one client 10 isallocated to each user. The client 10 may also be allocated to two ormore users. In this case, the client 10 identifies and authenticateseach user to determine which user has used the client 10. In thefollowing description, it is assumed for ease of explanation that a user1 a uses the client 10 a and a user 1 b uses the client 10 b to conducttasks in an organization. It is also assumed that a manager 2 operatesthe log analysis server 30.

The software architectures of the client (terminal) 10, the logcollection server 20, and the log analysis server 30 will now bedescribed with reference to FIG. 1. The client 10 runs a monitoringprogram 11, which closely monitors and records operation eventsperformed by the user 1 on the client 10, and stores a terminal log 12created as a record of output of the monitoring program 11. Themonitoring program 11 implements a monitoring unit of the client 10 inthis embodiment. The log collection server 20 runs a terminal logcollection program 21, which implements a log collector for collectingterminal logs 12 a and 12 b, and stores an integrated log 22 created bythe collection of the terminal log collection program 21. The loganalysis server 30 runs a correlation analysis program 31, whichimplements a correlation analyzer for analyzing the integrated log 22and visualizing the whereabouts of information assets in theorganization, and stores an information asset list 32 created by theanalysis of the correlation analysis program 31.

There is no need to install the same operating system (OS) on theclients 10 a and 10 b, and different monitoring programs 11 a and 11 bmay run on different OSs in the clients 10 a and 10 b. The integratedlog 22 created by collecting the terminal logs 12 a and 12 b needs tohave a unified format when different OSs have been installed on theclients 10 a and 10 b.

The following is a description of the configuration of the client 10with reference to FIG. 2 which is a block diagram of the client 10. Theclient 10 includes, as hardware components, a processor (or CPU) 201, amemory 202, a storage device 203, a communicator 204, a display unit205, an operating unit 206, and a portable medium coupler 207 which arecoupled to each other through a bus 208. The processor 201 is a CentralProcessing Unit (CPU) that controls the client 10 and performscalculation and processing of data. The memory 202 is a main memorydevice that temporarily stores data or programs in the client 10 and isreadable and writable directly by the CPU 201. The storage device 203stores data or programs to prevent them from being erased when theclient 10 is powered off. The communicator 204 communicates with thenetwork 40 by wire or wirelessly. The display unit 205 displays datacalculation and processing results on a display or the like to presentthe results to the user 1. The operating unit 206 receives keyboard ormouse inputs from the user 1. The portable medium coupler 207 is used toread and write data or the like from and to the portable medium 50. Themonitoring program 11 is loaded into the memory 202 to be executed bythe CPU 201. The terminal log 12 is stored in the storage device 203.

Each of the log collection server 20 and the log analysis server 30 hasthe same hardware configuration as that of the client 10 shown in theblock diagram of FIG. 2. However, each of the log collection server 20and the log analysis server 30 may not include the portable mediumcoupler 207. In addition, the integrated log 22 or the information assetlist 32 is stored in the storage device 203, and the processor (CPU) 201runs the terminal log collection program 21 as the terminal logcollector and the correlation analysis program 31 as the correlationanalyzer. Of course, the log collection server 20 and the log analysisserver 30 may be integrated into a single server.

The following is a description of data formats of the terminal log 12,the integrated log 22, and the information asset list 32 with referenceto FIGS. 3 and 4.

FIG. 3 illustrates the data formats of the terminal log 12 and theintegrated log 22. The terminal log 12 is a record of events such asexport or import and file format conversion on the client 10 that themonitoring program 11 has monitored and stored in the storage device203. The terminal log 12 is table data having zero or more entries, eachof which includes a date and time (301) indicating the date and timewhen an event occurred, a path 1 (302), a file name 1 (303), and afeature value 1 (304), which are pre-event file attributes, an event(305) indicating the type of the event, and a path 2 (306), a file name2 (307), and a feature value 2 (308) which are post-event fileattributes. Each of the path 1 (302) and the path 2 (306) is a path thatcan be uniquely identified in the network environment of the informationasset management reporting system 100 and has, for example, one of thefollowing formats and may also have any other appropriate format.

-   -   “computer name”+“drive letter”+“path on hard disk”    -   “computer name”+“hard disk drive number”+“path on hard disk”    -   “IP address”+“drive letter”+“path on hard disk”    -   “IP address”+“hard disk drive number”+“path on hard disk”    -   “MAC address”+“drive letter”+“path on hard disk”    -   “MAC address”+“hard disk drive number”+“path on hard disk”

The feature value 1 (304) and the feature value 2 (308) are, forexample, outputs of a hash function, such as Message Digest Algorithm 5(MD5) or Secure Hash Algorithm 1 (SHA1), which outputs fixed-length datafor input data to make it difficult to find different input dataproviding the same output.

The terminal log 12 is recorded for each client. That is, the terminallog 12 a is recorded for the client 10 a and terminal log 12 b isrecorded for the client 10 b. The terminal log collection program 21collects the terminal logs 12 a and 12 b into the integrated log 22. Thedata format of the integrated log 22 is similar to that of the terminallog 12.

FIG. 4 illustrates the data format of an information asset list 32stored in a storage device in the log analysis server 30 whichcorresponds to the storage device 203 of FIG. 2. The information assetlist 32 is data of analysis results of the integrated log 22 that thecorrelation analysis program 31, which implements the correlationanalyzer in the log analysis server 30, has obtained by analyzing theintegrated log 22 and then has stored in the storage device 203. Theinformation asset list 32 has the same number of different sheets 410 a,410 b, and 410 c as the number of different information assets, and eachof the sheets includes a sheet name 404 and table data having one ormore entries, each of which includes a path 401, a file name 402, and afeature value 403. The sheet 410 indicates where and how many identicalinformation assets of the information asset management reporting system100 are present.

The configuration of the information asset management reporting system100 and the data formats used in the system have been described above.Now, a flow of operations and example operations of the informationasset management reporting system 100 will be described with referenceto FIGS. 5 to 11.

FIG. 5 is a flow chart illustrating the operation of the monitoringprogram 11 that is executed by the CPU 201 of the client 10. FIG. 5 alsoillustrates pairs of events that are monitored by the monitoring program11. When the user 1 powers the client 10 on (step 501), the monitoringprogram 11 is activated when the OS boots (step 502). The activatedmonitoring program 502 monitors a variety of events such as networkcommunication, use of portable media, printing, and file formatconversion that occur at the client 10 (step 503). The pairs of eventscan be divided mainly into a pair of an export 510 and an import 511 anda pair of a conversion operation 512 and an inverse conversion operation513. Here, the export 510 is an event of removing a file from managementof the information asset management reporting system 100 which providesa network environment and the import 511 is an event of bringing a fileback under management, and the conversion operation 512 is an operationevent performed by the user 1 for file format conversion. The monitoringprogram 11 records the monitored events in a terminal log 12 (step 504).The monitoring program 11 is kept running while the client 10 is on(step 505). If the user 1 shuts the client 10 down, the monitoringprogram 506 is deactivated (step 506) and the client 10 is powered off(step 507). Through these operations of the monitoring program 11, allevents occurring at the client 10 can be recorded in the terminal log12.

Each pair of events shown in FIG. 5 need not occur in the same client.For example, the export 510 and the import 511 in network communication,of course, may be performed at different clients 10.

FIG. 6 is a flow chart illustrating the operation of the correlationanalysis program 31 that functions as a correlation analyzer and isexecuted by the CPU of the log analyzer server 30. First, thecorrelation analysis program 31 reads the integrated log 22 from the logcollection server 20 (step 601) and sorts entries of the integrated log22 by the date and time 301 (step 602). The correlation analysis program31 begins processing the entries of the integrated log 22 sequentially,oldest first. Specifically, the correlation analysis program 31 extractsan entry from the integrated log 22, oldest first, and determines thetype of an event 305 in the extracted entry (step 603). If the type ofthe event 305 of the extracted entry is the export 510 or the conversionoperation 512 described above with reference to FIG. 5, the correlationanalysis program 31 searches the information asset list 32 for an entrymatching both a path 1 (302) and a file name 1 (303), which arepre-event file attributes, in the extracted entry (step 604). Thecorrelation analysis program 31 then updates a sheet 410 including thematching entry in the information asset list 32 with a path 2 (306), afile name 2 (307), and a feature value 2 (308), which are post-eventfile attributes, in the extracted entry (step 605). On the other hand,if it is determined at step 603 that the type of the event 305 is theimport 511 or the inverse conversion operation 513 described above withreference to FIG. 5, the correlation analysis program 31 searches theinformation asset list 32 for an entry matching the feature value 2(308), which is one post-event file attribute, in the extracted entry(step 606).

If an entry matching the feature value 2 is found in the informationasset list 32 (YES at step 606), the correlation analysis program 31updates a sheet 410 including the found entry in the information assetlist 32 in the same manner as at step 605. If no entry matching thefeature value 2 is found (NO at step 606), the correlation analysisprogram 31 adds a new sheet 410 including the path 2 (306), the filename 2 (307), and the feature value 2 (308) which are post-event fileattributes, as a new information asset, to the information asset list 32(step 607). When the processing of the entry extracted from theintegrated log 22 is completed as described above, the correlationanalysis program 31 returns to step 603 to perform processing of thenext entry until processing of all entries of the integrated log 22 iscompleted (step 608). Through these operations of the correlationanalysis program 31, it is possible to determine the whereabouts ofinformation assets in the information asset management reporting system100 or to determine whether or not information assets have been widelydistributed, exposing them to risk.

Although, if no entry matching the feature value 2 is found in theinformation asset list 32, the correlation analysis program 31 adds anew sheet 410 including the path 2 (306), the file name 2 (307), and thefeature value 2 (308), as a new information asset, to the informationasset list 32 at step 607 in this example, the new information asset maybe stored and managed in a database different from the information assetlist 32. Alternatively, the new information asset may not be stored inany database.

Specific events, and specific operations of the monitoring program 11and the correlation analysis program 31 according to the events will nowbe described with reference to FIGS. 7 to 9.

FIG. 7 illustrates an example of network communication where a file isattached to an email and the attached file is saved. Multiple files canbe attached to a single email, and it is assumed in this example thatthe user 1 a has attached both a file 701 and a file 702 to an email 43.Here, the monitoring program 11 a calculates a feature value 1 of thefile 701 and records an entry 711, indicating that the file 701 havingthe feature value 1 has been attached to the email, in a terminal log 12a and calculates a feature value 2 of the file 702 and records an entry712, indicating that the file 702 having the feature value 2 has beenattached to the email, in the terminal log 12 a.

At the receiving side of the email 43, a file 703 having a path 3 and afile name 3 and a file 704 having a path 4 and a file name 4 aregenerated when the user 1 b has saved the files 701 and 702 attached tothe email 43. Here, the monitoring program 11 b calculates a featurevalue 3 of the file 703 and records an entry 713, indicating that thefile 703 having the feature value 3 has been saved, in a terminal log 12b and calculates a feature value 4 of the file 704 and records an entry714, indicating that the file 704 having the feature value 4 has beensaved, in the terminal log 12 b. The terminal log collection program 21collects the terminal log 12 a and the terminal log 12 b and aggregatesthem into an integrated log 22.

The correlation analysis program 31 reads the integrated log 22 andanalyzes the whereabouts of information assets. Prior to this analysis,it is assumed that a sheet 721 indicating the whereabouts of the file701 and a sheet 722 indicating the whereabouts of the file 702 havealready been stored in the information asset list 32. When thecorrelation analysis program 31 reads the entry 711, the correlationanalysis program 31 finds an entry in the sheet 721 which matchespre-event file attributes (path 1 and file name 1) in the entry 711,since the type of the event 305 is an export “attachment to email”. Thecorrelation analysis program 31 then adds post-event file attributes tothe sheet 721 to update the sheet 721 with a sheet 723 indicating thatthe information asset having the feature value 1 is also present in anemail as shown in FIG. 7. Similarly, when the correlation analysisprogram 31 reads the entry 712, the correlation analysis program 31updates the sheet 722 with a sheet 724 indicating that the informationasset having the feature value 2 is also present in an email as shown inFIG. 7.

In addition, when the correlation analysis program 31 reads the entry713, the correlation analysis program 31 finds an entry in the sheet 723which includes an element identical to a post-event file attribute(feature value 3) in the entry 713, since the type of the event 305 isan import “saving of attachment”. The correlation analysis program 31then adds post-event file attributes (path 3 and file name 3), which aregenerated as the file attached to the mail is saved, to the sheet 723 toupdate the sheet 723 with a sheet 725 indicating that the identicalinformation assets are stored in the same sheet as shown in FIG. 7.Similarly, when the correlation analysis program 31 reads the entry 714,the correlation analysis program 31 updates the sheet 724 with a sheet726 indicating that the identical information assets are stored in thesame sheet as shown in FIG. 7.

As is apparent from the above description, through the event monitoringand recording of the monitoring program 11 and the analysis of thecorrelation analysis program 31 for attachment of a file to an email andsaving of the attached file, it is possible to easily determine whereand how many information assets (files) of the information assetmanagement reporting system 100 including attachments to emails arepresent. Although the example of FIG. 7 has been described only for thecase where a file is attached to an email and the attached file issaved, it is also possible to track information assets in other casessuch as attachment of a file to an Instant Message (IM) and saving ofthe file attached to the IM, web uploading and downloading, and sendingand receiving of a file through FTP.

FIG. 8 illustrates an example of the use of a portable medium where afile is written to a USB flash memory and the file is copied from theUSB flash memory. Multiple files can be written to a USB flash memory,and it is assumed in this example that the user 1 a has written both afile 801 having a path 1 and a file name 1 and a file 802 having a path2 and a file name 2 to a USB flash memory 50. Here, the monitoringprogram 11 a calculates a feature value 1 of the file 801 and records anentry 811, indicating that the file 801 having the feature value 1 hasbeen written to the USB flash memory 50 having a unique device ID, in aterminal log 12 a and calculates a feature value 2 of the file 802 andrecords an entry 812, indicating that the file 802 having the featurevalue 2 has been written to the USB flash memory 50 having the uniquedevice ID, in the terminal log 12 a.

A file 803 having a path 3 and a file name 3 and a file 804 having apath 4 and a file name 4 are generated at the client 10 b when the user1 b has copied the files from the USB flash memory 50 to the client 10b. Here, the monitoring program 11 b calculates a feature value 3 of thefile 803 and records an entry 813, indicating that the file 803 havingthe feature value 3 has been copied to the client 10 b, in a terminallog 12 b and calculates a feature value 4 of the file 804 and records anentry 814, indicating that the file 804 having the feature value 4 hasbeen copied to the client 10 b, in the terminal log 12 b. The terminallog collection program 21 collects the terminal log 12 a and theterminal log 12 b and aggregates them into an integrated log 22.

The correlation analysis program 31 reads the integrated log 22 andanalyzes the whereabouts of information assets. Prior to this analysis,it is assumed that a sheet 821 indicating the whereabouts of the file801 and a sheet 822 indicating the whereabouts of the file 802 havealready been stored in the information asset list 32. When thecorrelation analysis program 31 reads the entry 811, the correlationanalysis program 31 finds an entry in the sheet 821 which matchespre-event file attributes (path 1 and file name 1) in the entry 811,since the type of the event 305 is an export “writing to USB flashmemory”. The correlation analysis program 31 then adds post-event fileattributes to the sheet 821 to update the sheet 821 with a sheet 823indicating that the information asset having the feature value 1 is alsoincluded in the USB flash memory having the unique device ID as shown inFIG. 8. Similarly, when the correlation analysis program 31 reads theentry 812, the correlation analysis program 31 updates the sheet 822with a sheet 824 indicating that the information asset having thefeature value 2 is also included in the USB flash memory having theunique device ID as shown in FIG. 8.

In addition, when the correlation analysis program 31 reads the entry813, the correlation analysis program 31 finds an entry in the sheet 823which includes an element identical to a post-event file attribute(feature value 3) in the entry 813, since the type of the event 305 isan import “copying from USB flash memory”. The correlation analysisprogram 31 then adds post-event file attributes (path 3 and file name3), which are new file attributes generated as the file is copied to theclient 10 b, to the sheet 823 to update the sheet 823 with a sheet 825indicating that the identical information assets are stored in the samesheet as shown in FIG. 8. Here, it can also be considered that thecontents of the file written to the USB flash memory 50 have beenchanged. In this case, since the feature value has also been changed,the correlation analysis program 31 adds a new sheet 410 to theinformation asset list 32 and manages the information asset (i.e.,post-event file attributes) in the new sheet 410 as described above atstep 607 in FIG. 6. Similarly, when the correlation analysis program 31reads the entry 814, the correlation analysis program 31 updates thesheet 824 with a sheet 826 indicating that the identical informationassets are stored in the same sheet as shown in FIG. 8.

As is apparent from the above description, through the event monitoringand recording of the monitoring program 11 and the analysis of thecorrelation analysis program 31 for writing of a file to a USB flashmemory and copying of the file from the USB flash memory, it is possibleto easily determine where and how many information assets (files) of theinformation asset management reporting system 100 including USB flashmemories are present. Although the example of FIG. 8 has been describedonly for the case where the USB flash memory is used, it is alsopossible to track information assets when any other portable medium suchas a floppy disk, a CD-R/DVD-R, or a DVD-RAM is used.

FIG. 9 illustrates an example of printing where a file is printed onpaper and the file printed on the paper is scanned. It is assumed inthis example that the user 1 a has printed a file 901 having a path 1and a file name 1 on paper 61 and the user 1 b has scanned the paper 61and then saved the scanned data as a file 902 having a path 2 and a filename 2. Here, the monitoring program 11 a calculates a feature value 1of the file 901 and records an entry 911 indicating that the file 901having the feature value 1 has been printed, together with the number ofcopies, in a terminal log 12 a. For example, when a file is printed onpaper, the monitoring program 11 a embeds the feature value 1 as adigital watermark into the file as described in Japanese PatentApplication Publication No. 2006-2794640 entitled “INFORMATION EMBEDDINGAPPARATUS, PRINT MEDIUM, AND INFORMATION READING APPARATUS”. When theuser 1 b has scanned the file data printed on the paper, the monitoringprogram 11 b detects the embedded digital watermark as described in thispublication and records, in a terminal log 12 b, an entry 912 includinga detected feature value 2 when the file 902 is saved. The terminal logcollection program 21 collects the terminal log 12 a and the terminallog 12 b and aggregates them into an integrated log 22.

The correlation analysis program 31 reads the integrated log 22 andanalyzes the whereabouts of information assets. Prior to this analysis,it is assumed that a sheet 921 indicating the whereabouts of the file901 has already been stored in the information asset list 32. When thecorrelation analysis program 31 reads the entry 911, the correlationanalysis program 31 finds an entry in the sheet 921 which matchespre-event file attributes (path 1 and file name 1) in the entry 911,since the type of the event 305 is an export “printing”. The correlationanalysis program 31 then adds post-event file attributes to the sheet921 to update the sheet 921 with a sheet 922 indicating that theinformation asset having both the feature value 1 and the number ofcopies is included in the paper as shown in FIG. 9. When the correlationanalysis program 31 reads the entry 912, the correlation analysisprogram 31 finds an entry in the sheet 922 which includes an elementidentical to a post-event file attribute (feature value 2) in the entry912, since the type of the event 305 is an import “scanning”. Thecorrelation analysis program 31 then adds post-event file attributes(path 2 and file name 2) of the file 902, which saves the scanned data,to the sheet 922 to update the sheet 922 with a sheet 923 indicatingthat the identical information assets are stored in the same sheet asshown in FIG. 9.

As is apparent from the above description, through the event monitoringand recording of the monitoring program 11 and the analysis of thecorrelation analysis program 31 for printing and scanning of a file, itis possible to easily determine where and how many information assets(files) of the information asset management reporting system 100including those printed on paper are present. Accordingly, it is alsopossible to track information assets when the information assets havebeen printed or scanned.

The operation of the information asset management reporting system 100has been described above with reference to specific examples. FIG. 10illustrates an example of a screen interface which displays aninformation asset list 32 to a manager 2 at the log analysis server 30.

The sheets 410 a, 410 b, and 410 c shown in FIG. 4 are displayed in atree format in a left region of the screen interface 1001 that displaysthe information asset list 32, and the sheet names 404 shown in FIG. 4are also displayed as the respective names of the sheets. The manager 2can edit the sheet names 404 on the screen interface 1001. When themanager 2 selects one sheet 410 from the tree in the left region througha mouse click or the like, a list of information assets included in thesheet 410 is displayed in a right region of the screen interface 1001.

The screen interface for displaying the information asset list 32 mayalso be implemented as shown in FIG. 11. A screen interface 1100 shownin FIG. 11 is realized through cooperation of the log server 30 and theindex server 70. The index server 70 provides an interface, for examplethrough a web browser, and can be used not only by the manager 2 butalso by the user 1.

The screen interface 1100 includes a left region where search conditionsare entered and a right region where search results are displayed. Akeyword 1101, an information creation date and time 1102, or a path 1103can be specified as a search condition. When a search button 1104 ispressed, the log server 70 searches indexed information and displayspaths 1105 and file names 1106 as a search result in the right regionand also displays a button 1107 for viewing identical files. Othersearch conditions may also be provided. For example, a file hash valueor a USB flash memory device ID can be specified as a search condition.

When the view-identical-files button 1107 is pressed, the log server 30retrieves files, which are identical to a file identified by both thepath 1105 and the file name 1106, from the information asset list 32 anddisplays the retrieved files in an information asset list dialog box1110. A “close” button for closing the dialog box 1110 is also displayedin the dialog box 1110.

Using the screen interface 1001 shown in FIG. 10, the manager 2 caneasily and correctly determine the whereabouts of information assets inan organization. In addition, using the screen interface 1100 shown inFIG. 11, the manager 2 or the user 1 can retrieve specific informationassets and can also easily and correctly determine the whereabouts offiles identical to the retrieved information assets.

Reference will now be made to an information asset management reportingsystem according to the second embodiment which has the sameconfiguration as the information asset management reporting system 100according to the first embodiment described above while it can trackinformation assets even when they have undergone file format changessuch as file decompression or encryption.

FIG. 12 illustrates example file compression and decompression as anexample of file format conversion. The file compression is a process ofcompressing one or more files to archive them into a single file. It isassumed in this example that the user 1 a has compressed both a normalfile 1201 having a path 1 and a file name 1 and a normal file 1202having a path 2 and a file name 2 into a compressed file 1203 having apath 3 and a file name 3. Here, the monitoring program 11 a calculates afeature value 1 of the normal file 1201 and records an entry 1211,indicating that the normal file 1201 having the feature value 1 has beencompressed, in a terminal log 12 a and calculates a feature value 2 ofthe normal file 1202 and records an entry 1212, indicating that thenormal file 1202 having the feature value 2 has been compressed, in theterminal log 12 a.

A normal file 1204 having a path 4 and a file name 4 and a normal file1205 having a path 5 and a file name 5 are generated when the user 1 bhas decompressed the compressed file 1203. Here, the monitoring program11 b calculates a feature value 4 of the normal file 1204 and records anentry 1213, indicating that the normal file 1204 having the featurevalue 4 has been decompressed, in a terminal log 12 b and calculates afeature value 5 of the normal file 1205 and records an entry 1214,indicating that the normal file 1205 having the feature value 5 has beendecompressed, in the terminal log 12 b. The terminal log collectionprogram 21 collects the terminal log 12 a and the terminal log 12 b andaggregates them into an integrated log 22.

The correlation analysis program 31 reads the integrated log 22 andanalyzes the whereabouts of information assets. Prior to this analysis,it is assumed that a sheet 1221 indicating the whereabouts of the normalfile 1201 and a sheet 1222 indicating the whereabouts of the normal file1202 have already been stored in the information asset list 32. When thecorrelation analysis program 31 reads the entry 1211, the correlationanalysis program 31 finds an entry in the sheet 1221 which matchespre-event file attributes (path 1 and file name 1) in the entry 1211,since the type of the event 305 is a conversion operation “filecompression”. The correlation analysis program 31 then adds post-eventfile attributes to the sheet 1221 to update the sheet 1221 with a sheet1223 indicating that the information asset having the feature value 1 isalso included in the compressed file as shown in FIG. 7. Similarly, whenthe correlation analysis program 31 reads the entry 1212, thecorrelation analysis program 31 updates the sheet 1222 with a sheet 1224indicating that the information asset having the feature value 2 is alsoincluded in the compressed file as shown in FIG. 7.

In addition, when the correlation analysis program 31 reads the entry1213, the correlation analysis program 31 finds an entry in the sheet1223 matching a post-event file attribute (feature value 4) in the entry1213, since the type of the event 305 is an inverse conversion operation“file decompression.” The correlation analysis program 31 then addspost-event file attributes (path 4 and file name 4), which are generatedas the file is decompressed, to the sheet 1223 to update the sheet 1223with a sheet 1225 indicating that the identical information assets arestored in the same sheet as shown in FIG. 12. Similarly, when thecorrelation analysis program 31 reads the entry 1214, the correlationanalysis program 31 updates the sheet 1224 with a sheet 1226 indicatingthat the identical information assets are stored in the same sheet asshown in FIG. 12.

As is apparent from the above description, through the event monitoringand recording of the monitoring program 11 and the analysis of thecorrelation analysis program 31 for compression of a file anddecompression of the file, it is possible to easily determine where andhow many information assets (files) of the information asset managementreporting system 100 including compressed files are present. Althoughthe example of FIG. 12 has been described only for the case of filecompression and decompression, it is also possible to perform eventmonitoring and log analysis in the same manner in other cases such asencryption and description of a file.

Reference will now be made to an information asset management reportingsystem according to the third embodiment which can prevent anyunauthorized use of files and protect lost or stolen files even if aportable medium is coupled to a private PC and files are then improperlycopied from the portable medium to the PC or if a portable medium islost or stolen or if a portable medium is coupled to a PC not undermanagement of the network environment for improperly using files in theportable medium.

FIG. 13 illustrates the overall configuration of an information assetmanagement reporting system 1300 according to the third embodiment. Theinformation asset management reporting system 1300 includes a client 10and a Work Flow (WF) server 1320. The WF server 1320 includes a WFmanager 1321 running on the server 1320 and includes an exportmanagement database 1322, a portable medium list 1323, and a client list1324 that are stored as databases in the server 1320. The client 10includes a monitoring program 1311 and a WF agent 1312 running on theclient 10 and includes a terminal log 1313 stored in the client 10. Theother components such as the log collection server 20 and the loganalysis server 30 are identical to those of the information assetmanagement reporting system according to the first embodiment describedabove. The network 40 is not limited to an in-house network and may bethe Internet. Of course, the client 10 has the same internalconfiguration as that shown in FIG. 2. The terminal log 1313 is storedin the storage device 203 which implements a storage unit of the client10. Similar to the monitoring program 1311, the WF agent 1312 runs onthe CPU 201 which is a processor of the client 10. The WF server 1320also has the same hardware configuration as that of the client 10 shownin FIG. 2.

The configuration of the portable medium 50 will now be described withreference to FIG. 14 which is a block diagram of the portable medium 50.Specifically, the portable medium 50 is a readable/writable portablestorage device such as a USB flash memory, a compact flash memory card,or a memory stick. This portable medium 50 includes a normal accessibleregion 1440 and an invisible region 1450. The normal accessible region1440 is a region that is allocated to allow the user to read and write afile through the OS (i.e., a region that is defined as a partition) andthe invisible region 1450 that is not allocated as a partition and isinvisible to the OS. The invisible region 1450 is used as a region forwriting a log. One example of the writing method is to write the logdirectly in sector units in the region. The log includes a date and time1431, a message 1432, and a checksum 1433. The checksum 1433 is used tocheck whether or not the date and time 1431 and the message 1432 havebeen altered (or tampered). Accordingly, the invisible region 1450cannot be read even when the portable medium 50 is read from the clientusing Windows Explorer or the like, and thus it is not possible to alteror delete the log using general methods. In order to set the size of theinvisible region 1450 greater than a specific size, the manager maycollectively set the size of the normal accessible region 1440 of eachportable medium 50 purchased in an organization to be less than theoriginal size and then distribute the portable media 50 to users.

Alternatively, the invisible region 1450 may be a tamper-resistantregion of the portable medium 50. All of the date and time 1431, themessage 1432, and the checksum 1433 or only the checksum 1433 may bearranged in the tamper-resistant region. Whether all of the date andtime 1431, the message 1432, and the checksum 1433 or only the checksum1433 is arranged in the tamper-resistant region may be determinedaccording to the size of the tamper-resistant size. For example,verification of secret information called a “Personal IdentificationNumber (PIN)” may be required as a condition for granting access to thetamper-resistant region or alternatively the tamper-resistant region maybe accessed exclusively from a dedicated driver.

In addition, the date and time 1431, the message 1432, and the checksum1433 may be written to the normal accessible region 1440 as a file whichcan be encrypted and decrypted only by a log recording program 1410. Thelog recording program 1410 opens a file handle in exclusive mode whenthe log file is opened, thereby preventing other programs from alteringor deleting the log while the log recording program 1410 is running.

Generally, the portable medium 50 is assigned a serial number or thelike by a manufacturer. Specifically, the portable medium 50 is assigneda manufacturer ID 1460 and a serial ID 1461 which cannot be changed. Theportable medium 50 is uniquely identified using the manufacturer ID andall portable media 50 present in the organization are managed in theportable medium list 1323.

Alternatively, an identification number 1421 and a digital signature1422 may be written to the invisible region 1450 so that the portablemedium 50 is uniquely identified in the case where the portable medium50 does not have the manufacturer ID 1460 and the serial ID 1461 orwhere the portable medium 50 has the manufacturer ID 1460 and the serialID 1461 which cannot be read by a PC. The manager collectively assignsthe identification number 1421 and the digital signature 1422 to eachportable medium 50 purchased in an organization before distributing theportable media 50 to users. This makes it possible to distinguishbetween the portable media 50 lent by the organization and mediaindividually purchased by users.

The log recording program 1410 is stored in the normal accessible region1440. The log recording program 1410 is a program for writing a log inthe invisible region 1450. The log recording program 1410 may be copiedto the portable medium 50 when the portable medium 50 is registered inthe portable medium list 1323 of the WF server 1320. Alternatively, thelog recording program 1410 may be stored in a read-only region on theportable medium which has properties similar to those of a CD-ROM.

A file in a conditional self-decodable format (conditionalself-decryption file) 1400 stored in the normal accessible region 1440will now be described with reference to FIG. 14. The file format of theconditional self-decryption file 1400 is a format for writing to theportable medium 50. The conditional self-decryption file 1400 includes avariety of information described below.

-   -   Password 1401: Secret information allowing only the user 1 to        decrypt the file.    -   Export Destination PC Identifier 1402: Information registered in        the client list 1324 for uniquely identifying the client 10. For        example, this information is a certificate which contains a        machine name, a MAC address, an HDD serial number, an OS license        number, OS owner information, a mail address, a login user name,        an IP address, a motherboard hardware number, a CPU type, a BIOS        type, and a Trusted Platform Module (TPM) chip.    -   Portable Medium Identifier 1403: Information registered in the        portable medium list 1323 for uniquely identifying the portable        medium 50.    -   Export Period 1404: Information indicating the period during        which export is granted.    -   Log Recording Program Identifier 1405: Information uniquely        identifying the log recording program 1410. Examples of this        information include the name of the program and the hash value        of the program file.    -   Action 1406: Information indicating an action that is performed        when conditions for decryption are not satisfied. Examples of        this action include prohibition of decryption, and forced        deletion.    -   Encryption Date and Time 1407: Information indicating the date        and time when the conditional self-decryption file 1400 was        created.

Data contained in and associated with the export management database1322 used in the information asset management reporting system 1300 willnow be described with reference to FIG. 18. The export managementdatabase 1322 stored in the WF server 1320 includes an export file table1801 for managing files stored in portable media 50 and an exportdestination usage history table 1802 for managing how portable media 50are used in export destinations. Each of the export file table 1801 andthe export destination usage history table 1802 includes the same numberof sheets as that of the portable media 50 managed in the portablemedium list 1323.

The export file table 1801 is constructed by storing results ofretrieving, using portable medium device IDs managed in the portablemedium list 1323, files that are stored in portable media having thesame device IDs as those managed in the portable medium list 1323 fromthe information asset list 32 of the information asset managementreporting system 100 according to the first embodiment described above.

The export destination usage history table 1802 is constructed bycollecting the contents of a log in the invisible region 1450 of eachportable medium 50. When the portable medium 50 is coupled to the client10, the monitoring program 1311 running on the client 10 reads theinvisible region 1450 and collects the contents of the log in theinvisible region 1450 and then stores the collected contents of the login the terminal log 1313. Then, the terminal log collection andcorrelation analysis programs 21 and 31 sequentially collect the loginformation to construct a sheet of the export destination usage historytable 1802 as shown in FIG. 18.

A flow of operations and example screens of the information assetmanagement reporting system 1300 according to the third embodiment shownin FIG. 13 will now be described with reference to FIGS. 15 to 17.

FIG. 15 is a flow chart illustrating the operation of the informationasset management reporting system 1300 when the user 1 exports a file tothe portable medium 50. At step 1501, the user 1 logs into the WF agent1312 of the client 10 and applies for export and sets conditions fordecryption.

An example of an application screen displayed on the display unit of theclient 10 at step 1501 will now be described with reference to FIG. 16A.The application screen 1600 includes an applicant field 1601 displayingthe name of the logged-in user, a reference button 1603 for specifying afile to be exported and an export file field 1602 displaying thespecified file, a reference button 1605 for specifying an exportdestination client and an export destination field 1604 displaying thespecified export destination client, an export reason field 1606 forentering text describing the reason for export, a reference button 1608for specifying a portable medium used for export and a used portablemedium field 1607 displaying the specified portable medium, a periodfield 1609 for selecting a period of use of the portable medium from apull-down menu, a password field 1601 for specifying a password, and anapply button 1611.

After logging into the WF agent 1312, the user 1 presses the referencebutton 1603 to select a file which they desire to export from the clientto the portable medium 50. Then, the user 1 presses the reference button1605 to select a destination client, to which the file is to beexported, from among clients managed in the client list 1324. The client10, from which the file is written to the portable medium, is set as adefault destination client, and the user 1 specifies another exportdestination. The user 1 then presses the reference button 1608 to selecta portable medium for use in export from among portable media managed inthe portable medium list 1323. The user 1 then enters the reason forexport to the export reason field 1606 and selects a period in theperiod field 1609, and enters a password in the password field 1610. Theuser 1 presses the apply button 1611 after completing input of thesefields.

Returning to FIG. 15, at the next step 1502, the manager 2 logs into theWF manager 1321 of the WF server 1320 and checks the details of theapplication or the like.

An example approval screen at step 1502 will now be described withreference to FIG. 16B. An approval screen 1620 displayed on the displayunit of the WF server 1320 includes an applicant field 1621 displayingthe name of the applicant, an export file field 1622 displaying thespecified export file, a display button 1623 for displaying the contentsof the export file, an export destination field 1624 displaying thespecified export destination, a modify button 1625 for modifying thespecified export destination, an export reason field 1626 displaying thereason for export, a used portable medium field 1627 displaying thespecified portable medium used for export, a coupling history button1628 for viewing the coupling history of the portable medium, a periodfield 1629 displaying the period of export, a password field 1630 forconfirming that the password has been set, a decryption prohibitionradio button 1631 and a forced deletion radio button 1632 for specifyingan action to be taken in the case of violation, an approve button 1633,and a reject button 1634.

After logging into the WF manager 1321, the manager 2 presses thedisplay button 1623 confirms that information that should not beexported is not included in the export file and confirms that the exportdestination field 1624, the export reason field 1626, and the periodfield 1629 are correct. The manager 2 then presses the coupling historybutton 1628 to confirm that the portable medium 50 used for export hasnever been coupled to an unauthorized client or that there is no traceof unauthorized decryption of the export file. After confirming thesefacts, the manager 2 specifies an action to be taken in the case ofviolation using the decryption prohibition radio button 1631 or theforced deletion radio button 1632 and then presses the approve button1633 or the reject button 1634. Alternatively, when the coupling historybutton 1628 is pressed, the client list 1324 may be checked to highlighta log indicating that the portable medium was coupled to a PC which isnot managed in the client list 1324.

Returning to FIG. 15, at the next step 1503, the procedure proceeds tostep 1504 when the manager 2 has pressed the approve button 1633 at step1502 and proceeds to step 1505 when the manager 2 has pressed the rejectbutton 1634 at step 1502. At step 1505, rejection notification isprovided and the export procedure is then terminated.

At step 1504, the WF manager 1321 writes conditions for decryptionapproved in the approve screen 1602 as a file and assigns a signature tothe file approved for export in combination with the file of theconditions for decryption.

At step 1506, the user 1 performs an operation for writing the file fromthe client 10 to the portable medium 50 upon receiving approvalnotification from the WF agent 1312. In addition, when the portablemedium 50 is coupled to the client 10, it may be determined whether ornot the portable medium 50 is included in the portable medium list 1323and the portable medium 50 may be forced to be decoupled when theportable medium 50 is not included in the portable medium list 1323.

At step 1507, the monitoring program 1311 in the client 10, whichmonitors writing to the portable medium 50, verifies a signatureattached to conditions for decryption and the file to be written. Theprocedure proceeds to step 1508 if the verification has succeeded andproceeds to step 1509 if the verification has failed or if no signaturehas been attached. At step 1509, the monitoring program 1311 prohibitswriting to the portable medium 50 and terminates the procedure.

At step 1508 after the verification has succeeded, based on theconditions for decryption approved at step 1504, the monitoring program1311 encrypts the file to be exported into a conditional self-decryptionfile 1400 with the conditions for decryption embedded in the file 1400.

At step 1510, the monitoring program 1311 of the client 10 performswriting to the normal accessible region 1440 of the portable medium 50.At step 1511, the conditional self-decryption file 1400 is saved in theportable medium 50 and the procedure is then terminated.

When the user 1 couples the portable medium 50 to the client 10 (step1521), the monitoring program 1311 detects that the portable medium hasbeen coupled (step 1522) and reads log information from the invisibleregion 1450 and then records the log information in the terminal log1313 (step 1523). The terminal log 1313 is stored in the exportmanagement database 1322 as described above with reference to FIG. 18.

The flow of operations of an export destination of the portable medium50 will now be described with reference to FIG. 17.

When the user 1 couples the portable medium 50 to an export destinationPC (step 1701), the log recording program 1410 in the portable medium 50is automatically activated (step 1702). The log recording program 1410is not necessarily automatically activated and may be manually activatedby the user 1. The log recording program 1410 collects information ofthe destination PC coupled to the portable medium 50 (step 1703),generates a handle for opening the invisible region 1450 in exclusivemode to access the invisible region 1450, and records information of thedestination PC coupled to the portable medium 50 in a log (1704).Opening the handle in exclusive mode prevents reading and writing ofinformation from and to the invisible region 1450, for example using acomputer forensic tool, while the log recording program 1410 is running.

The user 1 then clicks the conditional self-decryption file 1400 in theportable medium 50 to perform a decryption operation (step 1711), theconditional self-decryption file 1400 checks whether or not the logrecording program 1410 is running (step 1712). The self-decryption file1400 then checks whether or not the running program has been alteredusing the log recording program identifier 1405 (step 1713). Theself-decryption file 1400 stops decryption when it is determined at step1712 that the log recording program 1410 is not running or when it isdetermined at step 1713 that the log recording program 1410 has beenaltered (step 1714).

The self-decryption file 1400 then transmits conditions for decryptionto the log recording program 1410 (step 1715). The log recording program1410 checks, using the export destination PC identifier 1402, whether ornot the PC coupled to the portable medium 50 is a specified couplingdestination PC (step 1716). The log recording program 1410 then checks,using the portable medium identifier 1403, whether or not the portablemedium 50 being used is a specified portable medium (step 1717). The logrecording program 1410 then checks whether or not the time of thecoupling destination PC matches the date and time 1431 in the log in theinvisible region 1450. For example, the log recording program 1410checks whether or not the current time of the PC is later than the timewhen the portable medium 50 was decoupled last or whether or not thecurrent time is later than the date and time when decryption of theconditional self-decryption file 1400 succeeded or failed last.Alternatively, the log recording program 1410 may check, using theencryption date and time 1407, whether or not the current time of the PCis later than the encryption date and time. The log recording program1410 then checks, using the export period 1404, whether or not thecurrent time is within a predetermined period from the approved date andtime (step 1719). Finally, the log recording program 1410 requests thatthe user 1 enter a password and checks whether or not the enteredpassword is identical to the password 1401 (step 1720).

If the checked result at any of the steps 1716 to 1720 is negative, thelog recording program performs an action specified in the action 1406and logs a message indicating the failed decryption in the invisibleregion 1450 (step 1722). If the checked results at steps 1716 to 1720are all positive, the log recording program 1410 outputs a prompt askingthe user 1 to specify a decryption target (step 1721) and decrypts thespecified decryption target and logs a message indicating successfuldecryption in the invisible region 1450 (step 1722).

When the user 1 decouples the portable medium 50 from the PC, the logrecording program 1410 logs a message indicating the decoupling in theinvisible region 1450 when the program is terminated (step 1732).

Alternatively, a program into which the conditional self-decryption file1400 and the log recording program 1410 are integrated may perform steps1711 to 1722 in the flow of operations shown in FIG. 17 in order todetermine whether or not the conditions for decryption are satisfied.

Although the information asset management reporting system 1300 of thisembodiment has been described for the case where an information asset(or file) is written to the portable medium 50, the invention is notlimited to the case of writing to the portable medium 50 and the sameinformation asset management can be performed in other cases such asattachment of a file to an email or saving of a file in a portablenotebook PC or PDA. The email and the notebook computer or PDA may bereferred to as a portable medium in a broad sense. The destination of afile attached to an email, and a notebook computer or PDA may all bemanaged in the WF server 1320 and conditions for decryption of theconditional self-decryption file may be changed appropriately for thecases of employing email and portable note PC or PDA, so that the sameinformation asset management as in the case where the file is written tothe portable medium 50 can be applied to such cases.

According to the information asset management reporting system of thethird embodiment described above, when a file is exported by copying itto a portable medium, information indicating a PC to which the portablemedium has been coupled is left in the portable medium so that, througha later examination, it is possible to check whether or not anyunauthorized use of the file such as copying of the file to a PC at homehas occurred. By checking whether or not the conditional self-decryptionfile satisfies conditions for decryption, it is possible to preventleakage of the file at an arbitrary PC even when the file has beencopied to a PC not under management. In addition, even when the portablemedium is found after being lost or stolen, it is possible to determinewhether or not any suspicious access was made to the file in a periodduring which the portable medium was away.

As described above, the information asset management reporting systemaccording to the invention can be applied to the network environment ofany information system in a call center which handles personalinformation, a business field which handles trade secretes, a designdevelopment field which handles intellectual property information, andthe like. The information asset management reporting system according tothe invention can also be applied to the network environment of anyinformation system in an outsourcing company which conducts work withbusiness information or the like received from customers.

Although the preferred embodiments of the present invention have beendisclosed for illustrative purposes, those skilled in the art willappreciate that various modifications, additions and substitutions arepossible, without departing from the scope and spirit of the inventionas disclosed in the accompanying claims.

The specification and drawings are, accordingly, to be regarded in anillustrative rather than a restrictive sense. It will, however, beevident that various modifications and changes may be made theretowithout departing from the spirit and scope of the invention as setforth in the claims.

1. An information asset management system in a network environmentcoupled to a terminal that is operated by a user and a log analyzer,wherein the terminal includes a monitoring unit that monitors operationsperformed by the user and outputs a terminal log including respectivefeature values of an information asset before and after a pair of eventsof the information asset occurs, and wherein the log analyzer includes acorrelation analyzer that analyzes whereabouts of the information assetbased on the feature values in the terminal log output by the monitorunit.
 2. The information asset management system according to claim 1,wherein the pair of events of the information asset is a pair of anexport of a first information asset from the network environment and animport of a second information asset into the network environment, andwherein the correlation analyzer compares a post-import feature value ofthe second information asset with a pre-export feature value of thefirst information asset to determine whether or not the secondinformation asset is identical to the first information asset andreports a list of the information assets based on the determination. 3.The information asset management system according to claim 2, wherein,when no pre-export feature value identical to the post-import featurevalue of the second information asset is found through the comparison ofthe correlation analyzer, the log analyzer registers the secondinformation asset after the import as a new information asset.
 4. Theinformation asset management system according to claim 1, wherein thepair of events of the information asset is a pair of a file formatconversion of a first information asset and an inverse file formatconversion of a second information asset, and wherein the correlationanalyzer compares a post-inverse-file-format-conversion feature value ofthe second information asset with a pre-file-format-conversion featurevalue of the first information asset to determine whether or not thesecond information asset is identical to the first information asset andreports a list of the information assets based on the determination. 5.The information asset management system according to claim 4, wherein,when no pre-file-format-conversion feature value identical to thepost-inverse-file-format-conversion feature value of the secondinformation asset is found through the comparison of the correlationanalyzer, the log analyzer registers the second information asset afterthe inverse file format conversion as a new information asset.
 6. Theinformation asset management system according to claim 1, wherein thepair of events of the information asset is a pair of writing of theinformation asset to a portable medium by the user and reading of theinformation asset from the portable medium, a pair of printing of theinformation asset and scanning of the printed information asset, or apair or transmission and reception of the information asset over anetwork.
 7. An information asset management system in a networkenvironment coupled to a terminal that is operated by a user, whereinthe terminal includes a processor for executing a program, wherein, whenwriting to a portable medium is performed, the processor executes theprogram so that only a conditional self-decryption file having acondition for decryption is permitted to be written to the portablemedium, and wherein the conditional self-decryption file includes anidentifier of an export destination terminal and an identifier of theportable medium to allow the export destination terminal to determinewhether or not the condition for decryption is satisfied.
 8. Theinformation asset management system according to claim 7, wherein theprocessor writes the conditional self-decryption file to a normalaccessible region that is allocated in the portable medium to allow auser of the portable medium to read and write a file through anoperating system.
 9. The information asset management system accordingto claim 8, wherein a log recording program that is operable on theexport destination terminal is stored in the normal accessible region ofthe portable medium.
 10. The information asset management systemaccording to claim 9, wherein, when the conditional self-decryption fileis decrypted, the log recording program writes information of the exportdestination terminal and a log indicating failure or success of thedecryption to an invisible region different from the normal accessibleregion in the portable medium.
 11. The information asset managementsystem according to claim 10, wherein the log recording programidentifies the portable medium using a manufacturer identifier andserial number assigned to the portable medium or using a uniqueidentifier written to the invisible region of the portable medium. 12.The information asset management system according to claim 11, whereinthe log recording program stops the decryption when the identifier ofthe portable medium included in the conditional self-decryption file isdifferent from the manufacturer identifier and serial number or from theunique identifier.
 13. A log analysis server for information assetmanagement, the log analysis server comprising: a correlation analyzerfor analyzing whereabouts of information assets based on feature valuesincluded in an integrated log that integrates terminal logs, each of theterminal logs including respective feature values of an informationasset of a user of a terminal generated before and after a pair ofevents of the information asset occurs; and an information asset listthat is updated based on the analysis of the correlation analyzer. 14.The log analysis server according to claim 13, wherein, when no featurevalue identical to the feature value after the pair of events occurs isfound, the correlation analyzer registers the information asset afterthe pair of events occurs as a new information asset in the informationasset list.
 15. A log analysis program for information asset managementexecuted by a processor included in a log analyzer, wherein the loganalysis program causes the processor to analyze whereabouts ofinformation assets based on feature values included in an integrated logthat integrates terminal logs, each of the terminal logs includingrespective feature values of an information asset of a user of aterminal before and after a pair of events of the information assetoccurs, and to update an information asset list based on the analysis.16. The log analysis program according to claim 15, wherein the loganalysis program causes the processor to search the information assetlist based on a search condition input to the log analyzer and to outputa search result.
 17. A portable medium for writing a file to theportable medium from a terminal coupled to an information assetmanagement system in a network environment, wherein a recording regionof the portable medium includes: a normal accessible region for storinga conditional self-decryption file, the normal accessible region beingallocated to allow a user of the portable medium to read and write afile through an operating system; and an invisible region different fromthe normal accessible region, wherein, when the conditionalself-decryption file is decrypted, terminal information of the coupledterminal and a log indicating failure or success of the decryption tothe invisible region.
 18. The portable medium according to claim 17,wherein a log recording program for writing the log to the invisibleregion is stored in the normal accessible region.
 19. The portablemedium according to claim 17, wherein the conditional self-decryptionfile stored in the normal accessible region includes, as an identifierof the portable medium, a manufacturer identifier and serial numberassigned to the portable medium or a unique identifier written to theinvisible region of the portable medium, the unique identifier beinguniquely assigned to the portable medium.